// the find
ComplianceAsCode/content
Security automation content in SCAP, Bash, Ansible, and other formats
ComplianceAsCode/content is the upstream source for scap-security-guide packages shipped in RHEL, Fedora, and Ubuntu. You write security rules once in a YAML format and the build system generates SCAP data streams, Ansible playbooks, and Bash scripts targeting NIST 800-53, STIG, CIS, PCI-DSS, and other frameworks. If your org needs to demonstrate compliance against one of those frameworks on Linux, this is the most serious open-source option available.
- Write-once, generate-many: a single YAML rule with an OVAL check and Ansible snippet produces SCAP XML, a playbook, and a Bash remediation script — no manual format conversion.
- Framework coverage is real, not checkbox-ware: STIG, CIS, OSPP, PCI-DSS, HIPAA profiles exist with actual rule mappings back to control IDs, not just tagged keywords.
- Active CI pipeline with nightly builds across RHEL, Fedora, Ubuntu, Debian, and SLES keeps the content from quietly rotting — each product gets its own test matrix.
- CEL content for Kubernetes/OpenShift lets you run the same rule logic through the compliance-operator without needing shell access to nodes, which matters for managed clusters.
- The build system requires a full Linux toolchain (CMake, Python, OpenSCAP libraries) — there is no easy way to contribute or test rules on macOS or Windows without a container or VM.
- OVAL XML is still the primary check language for non-Kubernetes platforms; it is verbose, hard to read, and error-prone to write by hand — the templating helps but does not hide the underlying complexity.
- Rule coverage is uneven across platforms: RHEL 8/9 have hundreds of rules, newer Ubuntu releases and SLES are noticeably thinner, so you may find gaps exactly where you need them.
- No first-class drift detection story — you can scan and remediate, but correlating results over time or tracking which machines are out of compliance requires external tooling (OpenSCAP daemon, compliance-operator, or your own pipeline).
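The "your own pipeline" from the last point in its smallest form, as an added example that is not code from ComplianceAsCode/content or OpenSCAP: a Python script that diffs the per-rule outcomes of two XCCDF TestResult documents from scans of the same host and surfaces rules that regressed from pass to fail. The two result fragments and their rule ids are constructed sample input.

```python
import xml.etree.ElementTree as ET

NS = "{http://checklists.nist.gov/xccdf/1.2}"  # XCCDF 1.2 namespace OpenSCAP writes

# Constructed sample results, not real scan output; rule ids follow the
# xccdf_org.ssgproject.content_rule_* naming used by scap-security-guide.
BASELINE_XML = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_baseline">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward"><result>fail</result></rule-result>
</TestResult>"""

CURRENT_XML = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_current">
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login"><result>fail</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_package_aide_installed"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sysctl_net_ipv4_ip_forward"><result>pass</result></rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_service_auditd_enabled"><result>notapplicable</result></rule-result>
</TestResult>"""


def rule_results(xccdf_xml: str) -> dict:
    """Return {rule id: result} for every rule-result under a TestResult."""
    root = ET.fromstring(xccdf_xml)
    results = {}
    # iter() walks the whole tree, so a TestResult nested inside an ARF works too
    for rr in root.iter(NS + "rule-result"):
        res = rr.find(NS + "result")
        if res is not None and res.text:
            results[rr.get("idref")] = res.text.strip()
    return results


def drift(baseline: dict, current: dict) -> dict:
    """Classify per-rule changes between two scans of the same host:
    regressed (pass->fail), fixed (fail->pass), added/removed (rule in one scan only)."""
    report = {"regressed": [], "fixed": [], "added": [], "removed": []}
    for rule_id in sorted(set(baseline) | set(current)):
        before, after = baseline.get(rule_id), current.get(rule_id)
        if before is None:
            report["added"].append(rule_id)
        elif after is None:
            report["removed"].append(rule_id)
        elif before == "pass" and after == "fail":
            report["regressed"].append(rule_id)
        elif before == "fail" and after == "pass":
            report["fixed"].append(rule_id)
    return report


if __name__ == "__main__":
    for kind, rules in drift(rule_results(BASELINE_XML), rule_results(CURRENT_XML)).items():
        print(f"{kind}: {rules}")
```

Feeding it the XML that `oscap xccdf eval --results` writes for consecutive scans gives a per-host regression list; storing each report with its scan timestamp is the start of the history the last bullet says you otherwise have to build yourself.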